
References

Max edited this page Mar 6, 2022 · 2 revisions

Cryptographic Misuse

  • P. Gutmann, Lessons Learned in Implementing and Deploying Crypto Software in Proceedings of the 11th USENIX Security Symposium, San Francisco, CA, USA, August 5-9, 2002 (D. Boneh, eds.), 2002, pp. 315–325 [BibTeX]

    Best practices for cryptographic API design are suggested based on anecdotes.

  • D. J. Bernstein, T. Lange, and P. Schwabe, The Security Impact of a New Cryptographic Library in Progress in Cryptology – LATINCRYPT 2012 – 2nd International Conference on Cryptology and Information Security in Latin America, Santiago, Chile, October 7-10, 2012. Proceedings (A. Hevia and G. Neven, eds.), 2012, pp. 159–176 [BibTeX]

  • M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel, An Empirical Study of Cryptographic Misuse in Android Applications in 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS'13, Berlin, Germany, November 4-8, 2013 (A.-R. Sadeghi, V. D. Gligor, and M. Yung, eds.), 2013, pp. 73–84 [BibTeX]

  • K. Cairns and G. Steel, Developer-resistant Cryptography in A W3C/IAB Workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT), 2014, pp. 1–4

    Motivates considering security aspects for API design, especially for cryptographic libraries.

  • S. Das, V. Gopal, K. King, and A. Venkatraman, IV=0 Security: Cryptographic Misuse of Libraries, 2014

    They look at typical pitfalls in cryptographic libraries and suggest best practices for the API design of cryptographic libraries. Based on their comparison, they suggest using NaCl.

  • D. Lazar, H. Chen, X. Wang, and N. Zeldovich, Why Does Cryptographic Software Fail?: A Case Study and Open Problems in Asia-Pacific Workshop on Systems, APSys'14, Beijing, China, June 25-26, 2014, pp. 1–7 [BibTeX]

  • Y. Li, Y. Zhang, J. Li, and D. Gu, iCryptoTracer: Dynamic Analysis on Misuse of Cryptography Functions in iOS Applications in Network and System Security – 8th International Conference, NSS 2014, Xi'an, China, October 15-17, 2014, Proceedings (M. H. Au, B. Carminati, and C.-C. J. Kuo, eds.), 2014, pp. 349–362 [BibTeX]

  • S. Arzt, S. Nadi, K. Ali, E. Bodden, S. Erdweg, and M. Mezini, Towards Secure Integration of Cryptographic Software in 2015 ACM International Symposium on New Ideas, New Paradigms, and Reflections on Programming and Software, Onward! 2015, Pittsburgh, PA, USA, October 25-30, 2015 (G. C. Murphy and G. L. S. Jr., eds.), 2015, pp. 1–13 [BibTeX]

    The main goal of this work is to prevent misuse of cryptographic libraries. Developers have to choose a scenario they want to implement securely. The cryptographic techniques needed to secure the scenario are then automatically deduced and Java code is generated.

  • A. Chatzikonstantinou, C. Ntantogian, G. Karopoulos, and C. Xenakis, Evaluation of Cryptography Usage in Android Applications in BICT 2015, Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS), New York City, United States, December 3-5, 2015 (J. Suzuki, T. Nakano, and H. Hess, eds.), 2015, pp. 83–90 [BibTeX]

    An overview of possible pitfalls when using cryptographic libraries.

  • B. Schneier, Cryptography Is Harder than It Looks in IEEE Security & Privacy, 2016, pp. 87–88 [BibTeX]

  • S. Nadi, S. Krüger, M. Mezini, and E. Bodden, Jumping Through Hoops: Why Do Java Developers Struggle with Cryptography APIs? in Proceedings of the 38th International Conference on Software Engineering, ICSE 2016, Austin, TX, USA, May 14-22, 2016 (L. K. Dillon, W. Visser, and L. Williams, eds.), 2016, pp. 935–946 [BibTeX]
